Atlas

Target IP: 10.10.191.61


Scanning

There are three TCP ports open on the target machine, and the service banners indicate that the target is running Windows.


Enumeration

Port 8080: HTTP
There is a web application on this port. Browsing to it prompts for a username and password. From the nmap scan and a curl request, it looks like the target is running the ThinVNC application. Trying default credentials such as admin:admin did not work.

This application is vulnerable to arbitrary file read via path traversal, and this article contains the PoC that can be used to read the application's credential file.


Exploitation

Following the article's PoC, I obtained the credential Atlas:H0ldUpTheHe@vens by sending a request to /admin/../../ThinVnc.ini. With the credential in hand, I should be able to log in to the ThinVNC application.
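From the defender's side, the request above leaves a clear trace in the web server's access log: a path containing ".." segments that resolves to the application's configuration file. The following is an added example (not part of the writeup or of ThinVNC) that scans constructed Common Log Format lines for traversal attempts and for requests resolving to sensitive file names; the log format, the sample lines and the list of file names other than ThinVnc.ini are assumptions.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# File names worth alerting on if a request resolves to them. ThinVnc.ini is the
# file the writeup's request resolved to; the other names are constructed examples.
SENSITIVE_FILES = {"thinvnc.ini", "web.config", ".htpasswd"}

# Common Log Format with the request line split out (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(raw_path):
    """Return (is_traversal, targets_sensitive, normalized_path) for one request path."""
    decoded = unquote(unquote(raw_path))  # two rounds catch %252e%252e-style double encoding
    decoded = decoded.replace("\\", "/")  # treat backslash separators like forward slashes
    # A ".." segment anywhere in the path or query string counts as a traversal attempt.
    is_traversal = ".." in re.split(r"[/?&=]", decoded)
    path_only = decoded.split("?", 1)[0]
    normalized = normpath(path_only)  # collapses /admin/../../x to /x, as the server did
    basename = normalized.rsplit("/", 1)[-1].lower()
    return is_traversal, basename in SENSITIVE_FILES, normalized


def scan_log(lines):
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        is_trav, sensitive, normalized = classify_request(m.group("path"))
        if not (is_trav or sensitive):
            continue
        alerts.append({
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "raw_path": m.group("path"),
            "resolves_to": normalized,
            "traversal": is_trav,
            "sensitive_file": sensitive,
            # traversal that lands on a sensitive file is the strongest signal
            "severity": "high" if (is_trav and sensitive) else "medium",
        })
    return alerts


# Constructed sample log lines; the client addresses and timestamps are made up.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/../../ThinVnc.ini HTTP/1.1" 200 187',
    '10.10.14.5 - - [01/Jan/2024:10:00:02 +0000] "GET /admin/%2e%2e/%2e%2e/ThinVnc.ini HTTP/1.1" 200 187',
    '10.10.14.8 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048',
    '10.10.14.9 - - [01/Jan/2024:10:00:04 +0000] "GET /ThinVnc.ini HTTP/1.1" 404 0',
    '10.10.14.8 - - [01/Jan/2024:10:00:05 +0000] "GET /static/app.js?v=..%2f HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f'{alert["severity"]:6} {alert["ip"]:12} {alert["raw_path"]} -> {alert["resolves_to"]} ({alert["status"]})')
```

Normalizing the decoded path before checking the file name matters: the first two sample requests look different on the wire but both resolve to /ThinVnc.ini, and a rule that only matched the literal string "../" would miss the percent-encoded form. A 200 status on a "high" alert is the case to escalate, since it means the file was actually served.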

Using the credential I obtained, I gained access to the application. It lets me enter the IP of the machine I wish to connect to, so I should be able to connect to the target machine using the IP 10.10.191.61.

And bingo! I have a VNC session on the Windows target machine. Using the same credentials, I should be able to leverage this into an RDP session on port 3389, which is open on the target machine.

Using the command xfreerdp /v:10.10.191.61 /u:Atlas /p:H0ldUpTheHe@vens /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp, I gained an RDP session on the target machine as the user atlas. Now I have a foothold on the target machine.


Privilege Escalation

After some manual enumeration, it looks like the target is vulnerable to the Windows Print Spooler remote code execution vulnerability. I transferred this exploit to the machine and ran it successfully. The exploit created the account adm1n:p@ssw0rd with admin privileges.

Using the command Start-Process powershell 'Start-Process cmd -Verb RunAs' -Credential adm1n, I started a PowerShell session as the new admin user, and this user is a member of the Administrators group! Now I have full access to the target machine.
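The privilege escalation above produces two Security log events on the host within seconds of each other: a local account being created and that same account being added to the Administrators group. The following is an added detection example (not part of the writeup or of any exploit) that correlates those two events over constructed records. The event IDs 4720 (a user account was created) and 4732 (a member was added to a security-enabled local group) and the Administrators SID S-1-5-32-544 are real Windows values; the flattened field names, the assumption that the 4732 member name has already been resolved from its SID, and the sample records themselves are assumptions.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group


def correlate_new_admins(events, window=timedelta(minutes=10)):
    """Pair each 4720 (account created) with a later 4732 (member added to a local
    group) that puts the same account into Administrators within `window`.

    `events` is a list of dicts with flattened fields (assumed shape):
      id, time (ISO 8601), host, and for 4720: target_user, subject_user;
      for 4732: member_name (resolved from MemberSid, an assumption), group_sid.
    """
    created = {}  # lower-cased account name -> (creation time, creating subject)
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["target_user"].lower()] = (t, ev["subject_user"])
        elif ev["id"] == 4732 and ev["group_sid"] == ADMINISTRATORS_SID:
            name = ev["member_name"].lower()
            if name not in created:
                continue  # pre-existing account promoted; out of scope for this rule
            created_at, creator = created[name]
            if t - created_at <= window:
                alerts.append({
                    "host": ev["host"],
                    "account": ev["member_name"],
                    "created_by": creator,
                    "created_at": created_at.isoformat(),
                    "elevated_at": t.isoformat(),
                    "seconds_between": (t - created_at).total_seconds(),
                })
    return alerts


# Constructed sample records; the names, times and host are made up.
SAMPLE_EVENTS = [
    # benign: service account created and only added to Remote Desktop Users
    {"id": 4720, "time": "2024-01-01T08:00:00", "host": "WS01", "target_user": "svc_backup", "subject_user": "itadmin"},
    {"id": 4732, "time": "2024-01-01T08:00:30", "host": "WS01", "member_name": "svc_backup", "group_sid": "S-1-5-32-555"},
    # benign under the default window: promoted to Administrators six hours after creation
    {"id": 4720, "time": "2024-01-01T09:00:00", "host": "WS01", "target_user": "helpdesk", "subject_user": "itadmin"},
    {"id": 4732, "time": "2024-01-01T15:00:00", "host": "WS01", "member_name": "helpdesk", "group_sid": ADMINISTRATORS_SID},
    # the pattern from the writeup: account created and made an administrator one second later
    {"id": 4720, "time": "2024-01-01T12:00:05", "host": "WS01", "target_user": "adm1n", "subject_user": "SYSTEM"},
    {"id": 4732, "time": "2024-01-01T12:00:06", "host": "WS01", "member_name": "adm1n", "group_sid": ADMINISTRATORS_SID},
]

if __name__ == "__main__":
    for alert in correlate_new_admins(SAMPLE_EVENTS):
        print(f'{alert["host"]}: {alert["account"]} created by {alert["created_by"]} '
              f'and added to Administrators {alert["seconds_between"]:.0f}s later')
```

The short window is what separates this pattern from routine administration: an operator creating an account and promoting it the same afternoon is plausible, an account that becomes an administrator within seconds of existing is much more likely to be scripted. Widening the window (the second assertion in the test does this) trades noise for coverage.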

I transferred mimikatz to the target machine to obtain the NTLM password hashes, and I managed to obtain the NTLM hash of the Administrator user account.